Some Significant
& Representative

Cyber Insurance Cases

First Period 

Michael
Sean Quinn, Ph.D, J.D., Etc.

1300 West Lynn #208
Austin,
Texas 78703

(o)
512-296-2594

(c)
512-656-9759

There are not very many reported cyber
insurance cases.  There are plenty of
civil (and criminal cases) about the so-called cyber-world), but direct,
focused, coverage, or similar cases are very few in number—almost none in the
Twentieth Century.   There were more in
the early Twentieth Century, but as they have evolved, the topics of those
cases are probably passé.  There are many
more cases now; that arises from (1) the exponential growth of computer
technology, following what is called “Moore’s Law”—something which is not a
scientific law at all, (2) the increasing number of diverse insurance policies
offered, sold  and bought, and (3) the
growth of the market’s need for cyber-lawyers
Category (3) to a degree of certainty vastly exceeding that of  Moore’s Law, where the market wants
transactional lawyers, it will need litigation lawyers.

I.                  
Two Cases of the
“Early Period”

Most cyber insurance judicial analyses
of 10 or more years, 1994-2004 approximately, concerned two principal issues.
They concerned insurability of interactions between the cyber-world and the
real-world.  There were a number of these
cases, but most are not worthy of 
substantive, attention nowadays, at least for the purposes of this blog,
given what the insurance issues turned on, to wit: what counted as a material
object and how the various policies interacted with that conceptualization.
(Don’t let me mislead you into the idea that they are unworthy of being cited
in briefs, etc.  Many of the subordinate
citations in briefs, coverage opinion letters, law review articles, and so
forth are designed to show that there is or has been wide agreement as to some
proposition(s) of law under at least some circumstance. This is valuable in and
of itself, though not always necessary, for example, in this essay.)

It seemed and seems obvious that
cyber-world events can causally impact the real-world in a variety of insurable
ways. Elements of the cyber-world can inflict damages on material object. They
can cause physical injury to tangible property and/or the loss of the use of it
whether physically damaged or not. They can also cause bodily injury. Here is
an example, sort of.  According to a
recent article in the trade periodical Business
Insurance,
insurance companies are designing a new maritime policy designed
to insure against bodily and property damages caused by cyber risks. AIG is
apparently the leader of this fraction of the industry, it is reported. Judy
Greenwald, Insurers Develop Cyber Cover
for Maritime Industry
(May 12, 2014).

The question asked in lawsuits and
elsewhere is the reverse of this. Can events in the real world cause injuries
to parts of the cyber world, e.g., data. The insurance questions asked are like
this: Can negligent work in the real world cause covered injuries to
inhabitants of the cyber world?  And
here’s another one: If there is negligent work repairing a computer that
damages the computer, do consequences of the damage to a tangible physical
object cause insurable injuries in the cyber world?

  

These are questions about interactions
between the real world and the cyber world. Notice that the cyber insurance
questions are to be answered differently, perhaps, than the non-insurance
questions.  This makes the meaning of the
insurance policies crucial to these disputes. 
That should come as a surprise to no one.

Although the current near consensus on
the insurance is “No,” at least for standard policies of the real world, e.g.,
the CGL policy, there are aggressive plaintiff’s lawyer who try to pursue the
opposite conclusion, for example, in some class actions. The now established
proposition regarding insurance questions was recognized as nonsense for bodily
injury and property damage quickly because of the idea that tangibility
was built into the idea of property in most first and many third party
policies.

At the same time, it must be remembered
that CGL policies also cover some physical non-injuries. An example of the
opposite in the first party case is the insuring of money, stamps, bonds,
ideas, and so forth. All of these ideas are built into some third party
policies, CGL’s coverage B is like this. There are more. Legal malpractice is
like that, as will be discussed briefly in §IV, as are copyrights on music. It
has been mostly taken as true that a physical object could not cause physical
injury to components of the cyber world, since they are usually understood not
to be material objects, though it was conceded that such a thing could happen
in a number of ways, (none of them leading to insurance under a CGL type policy).
It doesn’t even work for legal malpractice, etc., because the immediate injury
is what is inflicted on a person, whether a real person or an abstract entity,
often also called a “person.” 
Nevertheless, a few—very few—“ancient” cases reached an opposite
conclusion, saying that the destruction of data can, under some come
circumstances, be property damage.

The second question is the reverse of
the first question. How should damages inflicted on components of the
cyber-world by the real-world be thought about? 
The received answer is that since the components of the cyber-world are
not tangible, they cannot be property, and so there is no coverage under
CGL-type policies. This observation is true even if what is called “the
cyber-world” and the “real-world,” i.e. the material world, are really part of
one world.

Here, are two examples of cases in those
early days. In one case, the court found that the definition of “property
damage” was ambiguous and therefore covered data.  The opposite, however, was decided in the
other case.

One case that is regarded as a leading
case is Ward General Insurance Services
v. Employers Fire Insurance Company,
114 Cal. App. 4th 548
(2003).  The facts are simply described,
even if they were not simple in real life. 
The plaintiff was working on a computer; there was a human error; data
was lost. It cost the plaintiff over $250,000 to restore the data and caused
business interruption. The question was whether the loss of the data was a
“direct physical loss.” Both the trial court and the court of appeals said
“No”:

The
word “physical” is defined, inter alia, as “having material existence” and
“perceptible esp. through the senses and subject to the laws of nature.”
(Merriam-Webster’s Collegiate Dict. (10th ed. 1993) p. 875.)
“MATERIAL implies formation out of tangible matter.” (Id. at p. 715.) “Tangible” means, inter alia, “capable of being
perceived esp. by the sense of touch.” (Id.
at p. 1200.) Thus, relying on the ordinary and popular sense of the words, we
say with confidence that the loss of plaintiff’s database does not qualify as a
“direct physical loss,” unless the database has a material existence, formed
out of tangible matter, and is perceptible to the sense of touch.

A
“database” is a “large collection of data organized esp. for rapid search and
retrieved (as by a computer).” (Merriam-Webster’s Collegiate Dict. (10th
ed. 1993) p. 293.) “Data is defined, quite simply, as factual or numerical
“information.” (Ibid.) Thus, the loss
of a database is the loss of organized information, in this case, the loss of
client names, addresses, policy renewal dates, etc.

 We fail to see how information, qua
information, can be said to have a material existence, be formed out of
tangible matter, or be perceptible to the sense of touch. To be sure,
information is stored in a physical medium, such as a magnetic disc or tape, or
even as papers in three-ring binders or a file cabinet, but the information
itself remains intangible
. [Emphasis added.]  Here, the loss suffered by plaintiff was a
loss of information, i.e., the sequence
of ones and zeroes stored by aligning small domains of magnetic material on the
computer’s hard drive in a machine readable manner. Plaintiff did not lose the
tangible material of the storage medium. Rather, plaintiff lost the stored
information. The sequence of ones and zeroes can be altered, rearranged, or
erased, without losing or damaging the tangible material of the storage medium.

A case cited for the proposition that
data is a physical object and therefore sustains “property damage” when
destroyed or made unusable, is a Texas case. (This does not say that “data
damage” is “property damage,”). Lambrecht
& Associates v. State Farm Lloyds
, 119 S.W.3d ___(Tex.
App.–Tyler, 2003 pet.). There were two separate arguments being used in this
case, although they are not separated. 

The court noted that, there are cases
holding that data are physical objects and hence that they sustain “property
damage” when injured. Those cases “focus on the physical nature of the data
itself and debate whether or not it can be dissolved into a quantitative mass
or is merely transcendental.” Instead, “the losses alleged by [the plaintiff] are
covered by the policy as can be determined by analyzing the policy itself.  We need not attempt to compose such an
erudite thesis because”  the issue can be
resolved by analyzing the policy.

Here the policy contained provisions
that explicitly determined coverage. First the policy indicated that it covered
damages to personal property of a business of the policyholder at a covered
location.  What was damaged was the
server; it is incontestable that servers are physical objects; and it was
rendered useless.  That’s obviously
covered.  In order to fix it, or restore
it, there had to be the finding of, or otherwise dealing with, the server’s
function, and the sort of substance upon which it did its work. (It seems to me
that it would not matter whether that was physical or not. That, however, was
not an explicit issue in this case.)

The court’s also considered that the
policy explicitly said in its loss of income section that “electronic media and
records” are covered.  In turn, that
phrase is defined in part as [a] “electronic data processing, recording or
storage media such a films, tapes, discs, drums or cells; [b] data stored on
such media; or [c] programming records used for electronic data processing. . .
.”  On the basis of this language, the
court held “that the plain language of the policy dictates that the personal
property losses alleged by [the plaintiff] 
were ‘physical’ as a matter of law.” 
Section [b] it seems to me, makes this conclusion obvious and iron
clad.  This conclusion, however, implies
nothing about policies that do not have this or this kind of language in them.

Alas, the issue regarding property
damage in these kinds of cases has not completely croaked.  It gets revived from time to time.  However, it usually arises about cases in
which huge amounts of information are released; the insured commercial entity,
often a large retail entity, is subject to a class action, and it sues its insurer
for coverage.  Bodily injury and property
damages claims in the underlying lawsuit usually were never serious, except to
try to trigger a duty to defend, and they drop out of serious contention
quickly.  

The question asked in lawsuits and
elsewhere is the reverse of this. Can events in the real world cause insured
injuries to parts of the cyber world, e.g., data?  The insurance questions asked are like this:
Can negligent work in the real world cause covered injuries to inhabitants of
the cyber world?  And here’s another one:
If there is negligent work repairing a computer that damages the computer, do
consequences of the damage to a tangible physical object cause insurable injuries
in the cyber world?  Remember. Two of the
main categories of covered injuries or damages in standard policies in the
so-called real world are bodily injury and injury to tangible
property.

These are questions about interactions
between the real world and the cyber world. Notice that the cyber insurance
questions are to be answered differently, perhaps, than the non-insurance
questions.  This makes the meaning of the
insurance policies crucial to these disputes. 
That should come as a surprise to no one.

Although the current near consensus on
the insurance is “No,” at least for standard policies of the real world, e.g.,
the CGL policy, there are aggressive plaintiff’s lawyer who try to pursue the
opposite conclusion, for example, in some class actions. The now established
proposition regarding insurance questions was recognized as nonsense for bodily
injury and property damage quickly because of the idea that tangibility
was built into the idea of property in most first and many third party
policies.

At the same time, it must be remembered
that CGL policies also cover some physical non-injuries. An example of the
opposite in the first party case is the insuring of money, stamps, bonds,
ideas, and so forth. All of these ideas are built into some third party
policies, CGL’s coverage B is like this.  There perils in that coverage—its “Coverage
B”—that do not require tangibility as the human body and physical property do.
There are more; copyright violations, e.g., on music and videos are a couple;
sometimes patent  torts are another; and
most important some forms of privacy are yet another.  (Various kinds of malpractice are covered in
real-world policies, and some of them may cover conduct “in” the cyber
world.  Med mal cannot be like that, for
obvious reasons.) It has been mostly taken as true that a physical object could
not cause physical injury to components of the cyber world, since they are
usually understood not to be material objects, though it was conceded that such
a thing could happen in a number of ways, (none of them leading to insurance
under a CGL type policy). It doesn’t even work for legal malpractice, etc.,
because the immediate injury is what is inflicted on a person, whether a real
person or an abstract entity, often also called a “person.”  Nevertheless, a few—very few—“ancient” cases
reached an opposite conclusion, saying that the destruction of data can, under
some come circumstances, be property damage. There will be further discussion
of Coverage B a later blog.

The second question is the “reverse” of
the first question. How should damages inflicted on components of the
cyber-world by the real-world be thought about? 
The received answer is that since the components of the cyber-world are
not tangible, they cannot be physical property, and so there is no coverage
under CGL-type policies. This observation is true even if what is called “the cyber-world”
and the “real-world,” i.e. the material world, are really part of one world.

Whether there is coverage for something,
and this will be determined by analyzing the insurance policy itself.  We need not attempt to compose such an systematic
and erudite theory as to potential coverages, because the issues can be
resolved by analyzing the relevant insurance policy, and—actually—not
otherwise.

Here the policy contained provisions
that explicitly determined coverage. First the policy indicated that it covered
damages to personal property of a business of the policyholder at a covered
location.  What was damaged was the
server; it is incontestable that servers are physical objects; and it was
rendered useless.  That’s obviously
covered.  In order to fix it, or restore
it, there had to be the finding of, or otherwise dealing with, the server’s
function, and the sort of substance upon which it did its work. (It seems to me
that it would not matter whether that was physical or not. That, however, was
not an explicit issue in this case.)

Alas, the issue regarding property
damage in these kinds of cases has not completely croaked.  It gets revived from time to time.  However, it usually arises about cases in
which huge amounts of information are released; the insured commercial entity,
often a large retail entity, is subject to a class action, and it sues its insurer
for coverage.  Bodily injury and property
damages claims in the underlying lawsuit usually were never serious, except to
try to trigger a duty to defend, and they drop out of serious contention quickly.
 Nevertheless, a few—very few—“ancient”
cases reached an opposite conclusion, saying that the destruction of data can,
under some come circumstances, be “property damage.”  This view can’t be right. Property in the
cyber world is not tangible.



Just how dead the property damage issue is during the Second Period will be come clear at the end of the next section. Early
in 2012 the Appellate Court of Connecticut decided a case styled
Recall Total Information Management v.
Federal Insurance Company,
147 Conn. App. 450 (Conn. App. January 14,
2014). Some have suggested that it may have been an attempt to  resurrect the themes of the “First
Period.”  That’s the wrong answer, but
this is not the place to prove it.  It isn’t just the wrong answer; rather it’s like saying the Trojan House is an Andalusian given to the Greeks by the Trojans as a comforting gift for the Greeks once they had accepted their defeat and decided to go home across the blue 
Aegean and to leave Helen behind in Turkey to tend her 6 kids. 

Originally posted on 07/26/2014 @ 8:03 pm

Michael Sean Quinn, PhD, JD, CPCU, Etc

Michael Sean Quinn, PhD, JD, CPCU, Etc. (530)

One of Texas's leading insurance scholars, Michael Sean Quinn is a past chair of the Insurance Section of the State Bar of Texas and has a broad legal practice.

Hits: 0